The Cyber Threat Intelligence Blind Spot: Hidden in Plain Sight

The Coalition of Cyber Investigators reveals a significant blind spot present in many commercial cyber threat intelligence feeds, one that leaves companies unaware that customer data and sensitive business information are compromised and publicly available. In some cases, this exposure has remained undetected for over a decade.

Paul Wright & Neal Ysart

4/22/2026

7 min read

Most cyber threat intelligence (CTI) programs work similarly: businesses pay for commercial intelligence feeds and then combine them with insights from their own risk assessments. Monitoring usually looks for leaked passwords, security vulnerabilities, signs of malware, threat actors, and sometimes brand impersonation or activity on the dark web.


It is a model that works well in many areas, but it has a big hole.

This article discusses how a notable category of cyber risk - publicly accessible, high-value artefacts hosted on reputable, mainstream platforms - frequently eludes the detection mechanisms of commercial CTI solutions. Because of this, businesses may unknowingly face long-term unmitigated risk exposure.

The Coalition of Cyber Investigators has found sensitive customer data and operational artefacts in places that are not part of the "dark web" and do not need special skills or techniques to access. This contradicts a common misconception that serious exposure usually occurs in secret or illegal locations.


From Signs to Things

Traditional CTI is best for processing large volumes of indicators of compromise (IOCs), such as IP addresses, domains, hashes, and infrastructure, and reinforces the importance of automation and speed.

But modern cybercrime works on a different level.

Criminals are increasingly using tangible items such as real documents, identity materials, templates, and procedural insights. These artefacts enable fraud, impersonation, and reconnaissance before an attack. The emergence of "Fraud-as-a-Service" (FaaS) models illustrates the industrialisation of cybercrime, reducing entry barriers for individuals with limited technical expertise and creating an established market for such services.

This is important for three key reasons.

First, accessibility. If something is indexed and made publicly available without requiring specialist access or skill sets, it becomes a low-friction resource for criminals. That lowers the cost of entry and increases volume.

Second, trust. These locations tend to enjoy greater implicit trust, and companies often overlook places that appear legitimate and less risky. This is evidenced by the fact that many of the documents and digital artefacts encountered in cases investigated by The Coalition of Cyber Investigators have been publicly available (in volume) for many years, yet remained undetected by commercial CTI monitoring solutions.

Third, persistence. When content is hosted on mainstream services, it can remain accessible for years. Sometimes over a decade. By the time an organisation notices, the material may have been downloaded and viewed thousands of times, mirrored, archived, re-uploaded, or incorporated into fraud kits and criminal playbooks.

Even if fraud or other criminal activity is taken out of the equation, this situation still poses a significant risk to an organisation's reputation and image, particularly when large volumes of customer data from different operational geographies remain publicly available for extended periods. It can erode trust and create an air of incompetence, particularly when threats go undetected for long periods.


Root Causes

It is easy to think that advanced attacks are to blame for data exposure. This is true sometimes, but often, exposures come from much more routine and systemic problems.

In real life, employees and third-party providers often prioritise convenience over compliance, uploading or sharing sensitive documents in ways that violate company rules. In some cases, this behaviour results from long-standing operational workarounds. In other cases, it is the result of time pressure, where speed is more important than following the rules. More fundamentally, many teams don't have a clear, practical understanding of what "confidential" data is, indicating a gap in training and awareness.

These patterns show an uncomfortable truth: even a well-thought-out governance framework can fail when put into action. Human behaviour, not technical flaws, is often what causes exposure.


What Is Really Being Exposed

For this conversation, and to protect sources without putting people whose data is exposed at greater risk, it's enough to be clear about the kinds of material we're discussing without naming the hosting locations.

The materials we are typically identifying in such cases include:

  • Customer Personally Identifiable Information (PII) and confidential documents

  • Identity details like passports, driver's licenses, and ID numbers

  • Paperwork for applying for financial products, real signatures, utility bills, account documents, and other sensitive personal information

This is exactly the kind of information that criminals use to make "fullz," create fake identities, and run scams to open and take over accounts. But we also see "fraud enablement" artefacts such as:

  • Editable documents used for invoices, supplier impersonation, payroll, or procurement fraud. In this context, templates form part of a "fraud kit" that can be used repeatedly.

  • Internal process documents, training materials, and operational language that help criminals appear to know the company, making a scam seem more realistic. This helps with pretexting, business email compromise, and deepfake video attacks, where having credibility and insider knowledge is invaluable.


When all this information is combined, it can create something more useful than a leaked password. For instance, it can show how an organisation verifies identity, moves money, and handles exceptions.


Why CTI Feeds Don't Show This

This is the area where senior stakeholders tend to be most shocked. Many of the organisations that are affected already have strong, well-thought-out controls in place for customer PII and have invested heavily in CTI feeds and breach-detection technologies. They feel confident that they are managing the risk. It's not being complacent; it's a lack of proof to the contrary.

But the truth is that this kind of exposure doesn't always get reported back through those feeds. Not because the feeds are "bad," but because the model they use doesn't see trusted, public, mainstream web-based sites as high risk. We say this with confidence as we regularly detect what appears to be customer PII or business-sensitive data belonging to some of the most heavily regulated and well-managed companies in the world, in such locations.

To better identify risk, this investigative gap needs attribution and context, not just keyword hits or historical findings. There also needs to be a manual review to help determine whether the content is sensitive to business or contains customer PII.

To address this blind spot, you can't just add another feed. It requires research that combines Open-Source Intelligence (OSINT), evidence-based attribution, and risk interpretation.

In practice, that means setting up flexible, manual OSINT workflows designed to help:

  • Find risks in public, high-authority online spaces that aren't regularly checked by commercial feeds.

  • Validate the relevance and authenticity against your own internal systems to see if it is a real document, a FaaS artefact, or sometimes a mix of the two.

  • Track trends over time, such as duplicate files, upload patterns, and naming conventions.

  • Monitor mirror sites, archiving services like the Wayback Machine, and search engine web caches where copies of hacked content might still be stored.

  • Improve and add context to commercial CTI feeds, which tend not to work well in these scenarios.

  • Go beyond annual audits: Vendor risk assessment can't be a once-a-year checkbox item. It needs to be a continuous, dynamic process.
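The "track trends over time" step above (duplicate files, upload patterns, naming conventions) is the one that is easiest to make systematic. The following is an added illustration, not the Coalition's methodology or code: given a constructed set of findings records (placeholder hosts, filenames and contents), it groups artefacts by content hash to spot mirrors and re-uploads, measures how long each artefact has been exposed across all copies, and collapses digit runs in filenames to reveal templated naming that points at a bulk or process-driven leak.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

# Constructed sample findings: (host, filename, first_seen, last_seen, content).
# Hosts, names and contents are placeholders, not real indicators.
FINDINGS = [
    ("share-a.example", "KYC_00412_passport.pdf", date(2013, 5, 2), date(2026, 4, 1), b"passport scan A"),
    ("share-b.example", "KYC_00412_passport.pdf", date(2019, 8, 9), date(2026, 3, 30), b"passport scan A"),
    ("archive.example", "kyc-00412.pdf", date(2021, 1, 15), date(2026, 4, 10), b"passport scan A"),
    ("share-a.example", "KYC_00877_passport.pdf", date(2014, 2, 20), date(2026, 4, 1), b"passport scan B"),
    ("share-c.example", "invoice_template_v3.docx", date(2024, 6, 1), date(2024, 6, 1), b"invoice template"),
]

def sha256(data: bytes) -> str:
    """Content hash: identical bytes on different hosts are the same artefact (mirror / re-upload)."""
    return hashlib.sha256(data).hexdigest()

def naming_pattern(filename: str) -> str:
    """Collapse digit runs and case so 'KYC_00412_passport.pdf' and 'KYC_00877_passport.pdf' share a key."""
    return re.sub(r"\d+", "#", filename.lower())

def analyse(findings):
    by_hash = defaultdict(list)
    by_pattern = defaultdict(set)
    for host, name, first, last, content in findings:
        by_hash[sha256(content)].append((host, name, first, last))
        by_pattern[naming_pattern(name)].add(name)
    # Same content seen on more than one host: mirrored or re-uploaded material.
    duplicates = {h: sorted({r[0] for r in recs}) for h, recs in by_hash.items() if len(recs) > 1}
    # Exposure window per artefact across all copies, in years (first sighting to last sighting).
    persistence_years = {
        h: round((max(r[3] for r in recs) - min(r[2] for r in recs)).days / 365.25, 1)
        for h, recs in by_hash.items()
    }
    # Several distinct filenames sharing one pattern suggests a templated, process-driven leak.
    templated = {p: sorted(names) for p, names in by_pattern.items() if len(names) > 1}
    return {"duplicates": duplicates, "persistence_years": persistence_years, "templated_names": templated}

if __name__ == "__main__":
    for key, value in analyse(FINDINGS).items():
        print(key, value)
```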


Example of a Case (Abstracted)

An investigation uncovered a substantial quantity of customer identity documents indexed on a widely used document-sharing platform. The information had been available to the public for several years and came from a third-party operational process.

Even though the organisation had advanced CTI capabilities and strong data protection controls, the exposure had not been detected by the monitoring systems already in place. It is very likely that the data had already been downloaded, copied, and added to larger fraud networks by the time it was found.

This example makes a very important point: exposure can persist without being noticed, not because there are no controls, but because coverage is not complete.


Conclusion

If your business holds customer PII and you're responsible for cyber risk, fraud prevention, investigations, or privacy, you should ask yourself one simple question.

Are you sure that your company would know if any customer PII, fraud artefacts, or sensitive business documents were available to the public on common online platforms in the last ten years?

Most teams say "yes" because they have invested in mature security solutions and full CTI feeds. However, in real life, that trust may be misplaced - we often see evidence that this kind of exposure can be missed by commercial CTI tools.

Many of the businesses we've worked with in this area now understand that mature security controls can, and often do, coexist with long-term, undetected compromises because the exposure often lies outside the controls' focus.

If sensitive data has been visible for years without detection, the problem is not a lack of capability; it is coverage. Every assurance you rely on is based on incomplete evidence until you fill that gap, because attackers don't work within your control boundaries.

This is where manual OSINT techniques and workflows really shine. They aren't limited by predetermined feeds or detection logic. They provide context, are evidence-based, and, when used correctly, can fill in the gaps that commercial CTIs often miss.

One of the most dangerous things a risk leader can do is think that their current tools see everything. Benjamin Franklin said it best almost 300 years ago: "Distrust and caution are the parents of security."

How We Do Things Differently

The Coalition of Cyber Investigators uses a proprietary methodology to find and monitor high-risk artefacts that aren't covered by traditional CTI. We don't just see the public internet as a place to search for keywords; we see it as an evidential and investigative environment.

The output from our work isn't just a bunch of links. It is an evidence-based assessment of real exposure, linked to real fraud and pre-attack scenarios that can act as a pipeline for investigation, takedown, and reporting activities. It's also a conversation about compliance, because some of these exposures stem from policy violations and procedural gaps rather than from external attacks and may result in significant regulatory reporting and remediation obligations.

Authored by:

The Coalition of Cyber Investigators, Paul Wright (United Kingdom) & Neal Ysart (Philippines).

©2026 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator;

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader; and

Lajos Antal (Hungary) - Highly experienced expert in cyberforensics, investigations, and cybercrime.

The Coalition unites leading experts to deliver cutting-edge research, OSINT, Investigations, & Cybercrime Advisory Services worldwide.

Our co-founders, Paul Wright and Neal Ysart, offer over 80 years of combined professional experience. Their careers span law enforcement, cyber investigations, open source intelligence, risk management, and strategic risk advisory roles across multiple continents.

They have been instrumental in setting formative legal precedents and stated cases in cybercrime investigations and contributing to the development of globally accepted guidance and standards for handling digital evidence.

Their leadership and expertise form the foundation of the Coalition’s commitment to excellence and ethical practice.

Alongside them, Lajos Antal, a founding member of our Boiler Room Investment Fraud Practice, brings deep expertise in cybercrime investigations, digital forensics, and cyber response, further strengthening our team’s capabilities and reach.

The Coalition of Cyber Investigators, with decades of hands-on experience in cyber investigations and OSINT, is uniquely positioned to support organisations facing complex or high-risk investigations. Our team’s expertise is not just theoretical - it’s built on years of real-world investigations, a deep understanding of the dynamic nature of digital intelligence, and a commitment to the highest evidential standards.